Re: [PATCH v8 06/11] x86/CPU: Adapt assembly for PIE support

Re: [PATCH v8 06/11] x86/CPU: Adapt assembly for PIE support

[Alexey Dobriyan]

Thomas Garnier wrote:
> -		"pushq $1f\n\t"
> +		"movabsq $1f, %q0\n\t"
> +		"pushq %q0\n\t"
>  		"iretq\n\t"
>  		UNWIND_HINT_RESTORE
>  		"1:"

Fake PIE. True PIE looks like this:

ffffffff81022d70 <do_sync_core>:
ffffffff81022d70:       8c d0                   mov    eax,ss
ffffffff81022d72:       50                      push   rax
ffffffff81022d73:       54                      push   rsp
ffffffff81022d74:       48 83 04 24 08          add    QWORD PTR [rsp],0x8
ffffffff81022d79:       9c                      pushf
ffffffff81022d7a:       8c c8                   mov    eax,cs
ffffffff81022d7c:       50                      push   rax
ffffffff81022d7d:  ===> 48 8d 05 03 00 00 00    lea    rax,[rip+0x3]        # ffffffff81022d87 <do_sync_core+0x17>
ffffffff81022d84:       50                      push   rax
ffffffff81022d85:       48 cf                   iretq
ffffffff81022d87:       c3                      ret

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>

--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -710,7 +710,8 @@ static inline void sync_core(void)
 		"pushfq\n\t"
 		"mov %%cs, %0\n\t"
 		"pushq %q0\n\t"
-		"pushq $1f\n\t"
+		"leaq 1f(%%rip), %q0\n\t"
+		"pushq %q0\n\t"
 		"iretq\n\t"
 		UNWIND_HINT_RESTORE
 		"1:"

Re: [PATCH v8 06/11] x86/CPU: Adapt assembly for PIE support

[Thomas Garnier]

On Mon, Jul 8, 2019 at 12:09 PM Alexey Dobriyan <adobriyan@gmail.com> wrote:
>
> Thomas Garnier wrote:
> > -             "pushq $1f\n\t"
> > +             "movabsq $1f, %q0\n\t"
> > +             "pushq %q0\n\t"
> >               "iretq\n\t"
> >               UNWIND_HINT_RESTORE
> >               "1:"
>
> Fake PIE. True PIE looks like this:

I used movabsq in couple assembly changes where the memory context is
unclear and relative reference might lead to issues. It happened on
early boot and hibernation save/restore paths. Do you think a relative
reference in this function will always be accurate?

>
> ffffffff81022d70 <do_sync_core>:
> ffffffff81022d70:       8c d0                   mov    eax,ss
> ffffffff81022d72:       50                      push   rax
> ffffffff81022d73:       54                      push   rsp
> ffffffff81022d74:       48 83 04 24 08          add    QWORD PTR [rsp],0x8
> ffffffff81022d79:       9c                      pushf
> ffffffff81022d7a:       8c c8                   mov    eax,cs
> ffffffff81022d7c:       50                      push   rax
> ffffffff81022d7d:  ===> 48 8d 05 03 00 00 00    lea    rax,[rip+0x3]        # ffffffff81022d87 <do_sync_core+0x17>
> ffffffff81022d84:       50                      push   rax
> ffffffff81022d85:       48 cf                   iretq
> ffffffff81022d87:       c3                      ret
>
> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
>
> --- a/arch/x86/include/asm/processor.h
> +++ b/arch/x86/include/asm/processor.h
> @@ -710,7 +710,8 @@ static inline void sync_core(void)
>                 "pushfq\n\t"
>                 "mov %%cs, %0\n\t"
>                 "pushq %q0\n\t"
> -               "pushq $1f\n\t"
> +               "leaq 1f(%%rip), %q0\n\t"
> +               "pushq %q0\n\t"
>                 "iretq\n\t"
>                 UNWIND_HINT_RESTORE
>                 "1:"

Re: [PATCH v8 06/11] x86/CPU: Adapt assembly for PIE support

[Alexey Dobriyan]

On Mon, Jul 08, 2019 at 12:35:13PM -0700, Thomas Garnier wrote:
> On Mon, Jul 8, 2019 at 12:09 PM Alexey Dobriyan <adobriyan@gmail.com> wrote:
> >
> > Thomas Garnier wrote:
> > > -             "pushq $1f\n\t"
> > > +             "movabsq $1f, %q0\n\t"
> > > +             "pushq %q0\n\t"
> > >               "iretq\n\t"
> > >               UNWIND_HINT_RESTORE
> > >               "1:"
> >
> > Fake PIE. True PIE looks like this:
> 
> I used movabsq in couple assembly changes where the memory context is
> unclear and relative reference might lead to issues. It happened on
> early boot and hibernation save/restore paths. Do you think a relative
> reference in this function will always be accurate?

As long as iretq target is not too far it should be OK.

I'm not really sure which issues can pop up.

IRETQ is 64-bit only, RIP-relative addressing is 64-bit only.
Assembler (hopefully) will error compilation if target is too far.

And it is shorter than movabsq.

> > ffffffff81022d70 <do_sync_core>:
> > ffffffff81022d70:       8c d0                   mov    eax,ss
> > ffffffff81022d72:       50                      push   rax
> > ffffffff81022d73:       54                      push   rsp
> > ffffffff81022d74:       48 83 04 24 08          add    QWORD PTR [rsp],0x8
> > ffffffff81022d79:       9c                      pushf
> > ffffffff81022d7a:       8c c8                   mov    eax,cs
> > ffffffff81022d7c:       50                      push   rax
> > ffffffff81022d7d:  ===> 48 8d 05 03 00 00 00    lea    rax,[rip+0x3]        # ffffffff81022d87 <do_sync_core+0x17>
> > ffffffff81022d84:       50                      push   rax
> > ffffffff81022d85:       48 cf                   iretq
> > ffffffff81022d87:       c3                      ret
> >
> > Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> >
> > --- a/arch/x86/include/asm/processor.h
> > +++ b/arch/x86/include/asm/processor.h
> > @@ -710,7 +710,8 @@ static inline void sync_core(void)
> >                 "pushfq\n\t"
> >                 "mov %%cs, %0\n\t"
> >                 "pushq %q0\n\t"
> > -               "pushq $1f\n\t"
> > +               "leaq 1f(%%rip), %q0\n\t"
> > +               "pushq %q0\n\t"
> >                 "iretq\n\t"
> >                 UNWIND_HINT_RESTORE
> >                 "1:"

Re: [PATCH v8 06/11] x86/CPU: Adapt assembly for PIE support

[Thomas Garnier]

On Tue, Jul 9, 2019 at 11:39 AM Alexey Dobriyan <adobriyan@gmail.com> wrote:
>
> On Mon, Jul 08, 2019 at 12:35:13PM -0700, Thomas Garnier wrote:
> > On Mon, Jul 8, 2019 at 12:09 PM Alexey Dobriyan <adobriyan@gmail.com> wrote:
> > >
> > > Thomas Garnier wrote:
> > > > -             "pushq $1f\n\t"
> > > > +             "movabsq $1f, %q0\n\t"
> > > > +             "pushq %q0\n\t"
> > > >               "iretq\n\t"
> > > >               UNWIND_HINT_RESTORE
> > > >               "1:"
> > >
> > > Fake PIE. True PIE looks like this:
> >
> > I used movabsq in couple assembly changes where the memory context is
> > unclear and relative reference might lead to issues. It happened on
> > early boot and hibernation save/restore paths. Do you think a relative
> > reference in this function will always be accurate?
>
> As long as iretq target is not too far it should be OK.
>
> I'm not really sure which issues can pop up.
>
> IRETQ is 64-bit only, RIP-relative addressing is 64-bit only.
> Assembler (hopefully) will error compilation if target is too far.
>
> And it is shorter than movabsq.

Agree, I will change it and run some tests for the next iteration.

>
> > > ffffffff81022d70 <do_sync_core>:
> > > ffffffff81022d70:       8c d0                   mov    eax,ss
> > > ffffffff81022d72:       50                      push   rax
> > > ffffffff81022d73:       54                      push   rsp
> > > ffffffff81022d74:       48 83 04 24 08          add    QWORD PTR [rsp],0x8
> > > ffffffff81022d79:       9c                      pushf
> > > ffffffff81022d7a:       8c c8                   mov    eax,cs
> > > ffffffff81022d7c:       50                      push   rax
> > > ffffffff81022d7d:  ===> 48 8d 05 03 00 00 00    lea    rax,[rip+0x3]        # ffffffff81022d87 <do_sync_core+0x17>
> > > ffffffff81022d84:       50                      push   rax
> > > ffffffff81022d85:       48 cf                   iretq
> > > ffffffff81022d87:       c3                      ret
> > >
> > > Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> > >
> > > --- a/arch/x86/include/asm/processor.h
> > > +++ b/arch/x86/include/asm/processor.h
> > > @@ -710,7 +710,8 @@ static inline void sync_core(void)
> > >                 "pushfq\n\t"
> > >                 "mov %%cs, %0\n\t"
> > >                 "pushq %q0\n\t"
> > > -               "pushq $1f\n\t"
> > > +               "leaq 1f(%%rip), %q0\n\t"
> > > +               "pushq %q0\n\t"
> > >                 "iretq\n\t"
> > >                 UNWIND_HINT_RESTORE
> > >                 "1:"

[PATCH v8 00/11] x86: PIE support to extend KASLR randomization

[Thomas Garnier]

Splitting the previous serie in two. This part contains assembly code
changes required for PIE but without any direct dependencies with the
rest of the patchset.

Changes:
 - patch v8 (assembly):
   - Fix issues in crypto changes (thanks to Eric Biggers).
   - Remove unnecessary jump table change.
   - Change author and signoff to chromium email address.
 - patch v7 (assembly):
   - Split patchset and reorder changes.
 - patch v6:
   - Rebase on latest changes in jump tables and crypto.
   - Fix wording on couple commits.
   - Revisit checkpatch warnings.
   - Moving to @chromium.org.
 - patch v5:
   - Adapt new crypto modules for PIE.
   - Improve per-cpu commit message.
   - Fix xen 32-bit build error with .quad.
   - Remove extra code for ftrace.
 - patch v4:
   - Simplify early boot by removing global variables.
   - Modify the mcount location script for __mcount_loc intead of the address
     read in the ftrace implementation.
   - Edit commit description to explain better where the kernel can be located.
   - Streamlined the testing done on each patch proposal. Always testing
     hibernation, suspend, ftrace and kprobe to ensure no regressions.
 - patch v3:
   - Update on message to describe longer term PIE goal.
   - Minor change on ftrace if condition.
   - Changed code using xchgq.
 - patch v2:
   - Adapt patch to work post KPTI and compiler changes
   - Redo all performance testing with latest configs and compilers
   - Simplify mov macro on PIE (MOVABS now)
   - Reduce GOT footprint
 - patch v1:
   - Simplify ftrace implementation.
   - Use gcc mstack-protector-guard-reg=%gs with PIE when possible.
 - rfc v3:
   - Use --emit-relocs instead of -pie to reduce dynamic relocation space on
     mapped memory. It also simplifies the relocation process.
   - Move the start the module section next to the kernel. Remove the need for
     -mcmodel=large on modules. Extends module space from 1 to 2G maximum.
   - Support for XEN PVH as 32-bit relocations can be ignored with
     --emit-relocs.
   - Support for GOT relocations previously done automatically with -pie.
   - Remove need for dynamic PLT in modules.
   - Support dymamic GOT for modules.
 - rfc v2:
   - Add support for global stack cookie while compiler default to fs without
     mcmodel=kernel
   - Change patch 7 to correctly jump out of the identity mapping on kexec load
     preserve.

These patches make some of the changes necessary to build the kernel as
Position Independent Executable (PIE) on x86_64. Another patchset will
add the PIE option and larger architecture changes.

The patches:
 - 1, 3-11: Change in assembly code to be PIE compliant.
 - 2: Add a new _ASM_MOVABS macro to fetch a symbol address generically.

diffstat:
 crypto/aegis128-aesni-asm.S         |    6 +-
 crypto/aegis128l-aesni-asm.S        |    8 +--
 crypto/aegis256-aesni-asm.S         |    6 +-
 crypto/aes-x86_64-asm_64.S          |   45 ++++++++++------
 crypto/aesni-intel_asm.S            |    8 +--
 crypto/aesni-intel_avx-x86_64.S     |    3 -
 crypto/camellia-aesni-avx-asm_64.S  |   42 +++++++--------
 crypto/camellia-aesni-avx2-asm_64.S |   44 ++++++++--------
 crypto/camellia-x86_64-asm_64.S     |    8 +--
 crypto/cast5-avx-x86_64-asm_64.S    |   50 ++++++++++--------
 crypto/cast6-avx-x86_64-asm_64.S    |   44 +++++++++-------
 crypto/des3_ede-asm_64.S            |   96 ++++++++++++++++++++++++------------
 crypto/ghash-clmulni-intel_asm.S    |    4 -
 crypto/glue_helper-asm-avx.S        |    4 -
 crypto/glue_helper-asm-avx2.S       |    6 +-
 crypto/morus1280-avx2-asm.S         |    4 -
 crypto/morus1280-sse2-asm.S         |    8 +--
 crypto/morus640-sse2-asm.S          |    6 +-
 crypto/sha256-avx2-asm.S            |   18 ++++--
 entry/entry_64.S                    |   16 ++++--
 include/asm/alternative.h           |    6 +-
 include/asm/asm.h                   |    1 
 include/asm/paravirt_types.h        |   25 +++++++--
 include/asm/pm-trace.h              |    2 
 include/asm/processor.h             |    6 +-
 kernel/acpi/wakeup_64.S             |   31 ++++++-----
 kernel/head_64.S                    |   16 +++---
 kernel/relocate_kernel_64.S         |    2 
 power/hibernate_asm_64.S            |    4 -
 29 files changed, 306 insertions(+), 213 deletions(-)

Patchset is based on next-20190708.

[PATCH v8 06/11] x86/CPU: Adapt assembly for PIE support

[Thomas Garnier]

Change the assembly code to use only relative references of symbols for the
kernel to be PIE compatible. Use the new _ASM_MOVABS macro instead of
the 'mov $symbol, %dst' construct.

Position Independent Executable (PIE) support will allow to extend the
KASLR randomization range below 0xffffffff80000000.

Signed-off-by: Thomas Garnier <thgarnie@chromium.org>
---
 arch/x86/include/asm/processor.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 3eab6ece52b4..3e2154b0e09f 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -713,11 +713,13 @@ static inline void sync_core(void)
 		"pushfq\n\t"
 		"mov %%cs, %0\n\t"
 		"pushq %q0\n\t"
-		"pushq $1f\n\t"
+		"movabsq $1f, %q0\n\t"
+		"pushq %q0\n\t"
 		"iretq\n\t"
 		UNWIND_HINT_RESTORE
 		"1:"
-		: "=&r" (tmp), ASM_CALL_CONSTRAINT : : "cc", "memory");
+		: "=&r" (tmp), ASM_CALL_CONSTRAINT
+		: : "cc", "memory");
 #endif
 }
 
-- 
2.22.0.410.gd8fdbe21b5-goog